rksh - restricted shell

Instead of giving the user everything and taking away a few commands, this is the opposite. Give them nothing and add a few selected commands.

It is a variant of the ksh shell in OpenBSD. A shell is "restricted" if the '-r' option is used; if the basename the shell was invoked with was 'rksh'; or if the SHELL parameter is set to 'rksh'. The following restrictions come into effect after the shell processes any profile and ENV files:

The cd command is disabled.

The SHELL, ENV, and PATH parameters cannot be changed.

Command names can't be specified with absolute or relative paths.

The -p option of the built-in command command can't be used.

Redirections that create files can't be used.

Plainly, this keeps the user to a very limited list of commands: only the ones the superuser grants by putting them in the user's PATH. In fact, with no PATH at all they could do absolutely nothing except log in. This is not a normal setup; it is usually done for specific cases.
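Because the restrictions only kick in after the profile and ENV files have been processed, everything that runs before that point must be out of the user's reach. The following POSIX sh audit is added here as an example and is not part of the original article; it checks that the restricted user's home directory, profile, ENV file (assumed here to be ~/.kshrc) and the directory of permitted commands belong to the administrator and are not writable by anyone else. The directory layout and the cu stub in the demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. rksh enforces its restrictions
# only AFTER the profile and ENV files are processed, so those files, the home
# directory holding them and the directory of permitted commands must belong to
# the administrator and not be writable by the restricted user. The layout,
# the ~/.kshrc name for the ENV file and the "cu" stub are constructed here.

# check_file FILE OWNER: 1 (plus a diagnostic) if FILE is missing, not owned
# by OWNER, or writable by group/others; 0 otherwise. -prune keeps find from
# descending into directories; it prints the path only when the test matches.
check_file() {
    p=$1; owner=$2
    [ -e "$p" ] || { echo "MISSING: $p"; return 1; }
    [ -z "$(find "$p" -prune ! -user "$owner")" ] ||
        { echo "BAD OWNER: $p (expected $owner)"; return 1; }
    [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ] ||
        { echo "WRITABLE BY OTHERS: $p"; return 1; }
    return 0
}

# audit_rksh_user HOME CMDDIR OWNER: checks the home directory, profile and
# ENV files, the command directory and every command in it. Returns the number
# of problems found (0 means the setup passed).
audit_rksh_user() {
    home=$1; cmddir=$2; owner=$3; bad=0
    for f in "$home" "$home/.profile" "$home/.kshrc" "$cmddir"; do
        check_file "$f" "$owner" || bad=$((bad + 1))
    done
    for c in "$cmddir"/*; do                     # each permitted command
        [ -e "$c" ] && { check_file "$c" "$owner" || bad=$((bad + 1)); }
    done
    echo "problems: $bad"
    return "$bad"
}

# demo_setup DIR: constructed layout with one deliberate mistake, a
# group/world-writable ~/.kshrc, so the audit has something to report.
demo_setup() {
    mkdir -p "$1/home" "$1/rbin" && chmod 755 "$1/home" "$1/rbin"
    printf 'PATH=%s\nexport PATH\n' "$1/rbin" > "$1/home/.profile"
    printf '#!/bin/sh\necho "cu stub"\n' > "$1/rbin/cu"
    : > "$1/home/.kshrc"
    chmod 644 "$1/home/.profile"; chmod 755 "$1/rbin/cu"; chmod 666 "$1/home/.kshrc"
}

if [ "${1:-}" = demo ]; then                     # sh audit_rksh.sh demo
    d=$(mktemp -d); demo_setup "$d"
    audit_rksh_user "$d/home" "$d/rbin" "$(id -un)"; rm -rf "$d"
fi
```

Run it with the argument demo to see the audit flag the writable ~/.kshrc; on a real system pass the restricted user's home, the command directory and root as the owner.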

To paraphrase wikipedia: Most commonly, a console server provides a number of serial ports, which are then connected to the serial ports of other equipment, such as servers, routers, or switches. The consoles of the connected devices can then be accessed by connecting to the console server over a serial link, maintaining survivable connectivity that allows remote users to log in to the various consoles without being physically nearby.

More specific to this case: We wanted to be able to get to a box that may not be accessible by ssh, for whatever reason. It is also particularly useful to get to things that are only available on the console, like.. the BIOS, boot messages, error messages, etc.

Dedicated console server appliances are available from a number of manufacturers, like..

But these are way too expensive for our needs. So, we set up a home grown console server in the datacenter. Our console server is a tiny box (Soekris 4801) with the sole purpose of listening for SSH connections from the internet and allowing serial access to attached boxen. Ideally, it would be hooked to a modem to be completely out-of-band. But hooking it to the switch with an external IP works fine for our needs. All told, it is an inexpensive solution. The price of the Soekris and a serial octopus hardly compares to the price of a dedicated appliance. [*]

cu, "call UNIX", establishes a full-duplex connection to another machine, giving the appearance of being logged in directly on the remote CPU. It goes without saying that you must have a login on the machine (or equivalent) to which you wish to connect. It comes standard in OpenBSD.

We received an anonymous email taking exception to the above paragraphs. First of all, we were thrilled that anyone actually reads these articles! And then to find that this one would elicit enough emotion to warrant such a long (albeit misguided) response; we were overjoyed.

We began reading the response with excitement. But we were quickly disappointed to find that it was just an advertisement. Furthermore, we discovered we were being scolded and told what we 'should do'. What a let-down - we actually, and seriously, considered their products several years ago when this was originally written. Oh well..

On careful review, we still stand by the words written. The solution fit our needs, full stop. As a bonus, we could load the OS of our choice on the console server.. and use rksh.. without which, there would be no article!